On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> Hi List,
> I have a working setup of one AD, one IPA server and one client server. By
> default I can log in to the client server by using an AD username.
> I want to apply HBAC rules against this client server. For that I have done
> the steps below.
> 1. Created External group in IPA server
> 2. Created local POSIX group in IPA server
> 3. Added AD group to external group
> 4. Added POSIX group to external group.
> After that I have created an HBAC rule by adding both local and external IPA
> groups, added sshd as service and selected service group as sudo.
> I have applied this HBAC rule to client server and from web UI and while
> testing HBAC from web, I am getting access denied.
Sorry, not enough info.
One guess would be that you need to add the "sudo-i" service as well.
The other is that the groups might not show up on the client (do they?)
Anyway, it might be a good idea to follow